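// nevisAuth Groovy state script.
//
// Copies the operations account / profile extIds and a few identity claims from the
// (already validated) SAML assertion, exposed through the `notes` binding, into the
// auth session, and adds a level-of-identification role derived from the assertion's
// AuthnContextClassRef. Sets result 'ok' on success and 'error' when the mandatory
// operations claims are missing or anything throws.
//
// Bindings (request, response, notes, session, LOG) are supplied by the nevisAuth
// script environment; nothing here is defined locally.
try {
    // Side effect only: make sure an auth session exists before attributes are written to it.
    request.getAuthSession(true)

    final String OP_ACCOUNT_CLAIM = 'saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'
    final String OP_PROFILE_CLAIM = 'saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'
    def opAccountExtId = notes[OP_ACCOUNT_CLAIM]
    def opProfileList  = notes[OP_PROFILE_CLAIM]

    LOG.debug("operationsExtId: ${opAccountExtId}")
    LOG.debug("operationsUserProfileExtIdList: ${opProfileList}")

    // Fail closed: both operations claims are mandatory. Groovy truth also rejects an
    // empty value, which a null-only check would let through to the split() below
    // (where it would only be stopped by an exception).
    if (!opAccountExtId || !opProfileList) {
        LOG.error("[OPACCESS] User ${notes['saml.assertion.subject']} tried to access without operations account or profile")
        response.setResult('error')
        return
    }
    response.setSessionAttribute('operationsExtId', opAccountExtId)

    // Optional identity claims: copied into the session only when present in the assertion.
    [
        'idp.firstName': 'saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
        'idp.lastName' : 'saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
        'idp.email'    : 'saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        'idp.language' : 'saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance',
    ].each { sessionKey, claimKey ->
        if (notes[claimKey]) {
            response.setSessionAttribute(sessionKey, notes[claimKey])
        }
    }

    // The profile claim is a comma-separated list of "<profileExtId>\<unitExtId>" pairs
    // (the code below splits on ',' and then on a single backslash).
    // `${var.operations-unitExtId}` is a pattern variable, presumably substituted when the
    // pattern is generated rather than a Groovy binding; single quotes keep Groovy from
    // re-interpolating the substituted value. Resolved once and compared with exact
    // equality everywhere (the former `contains()` check was a weaker substring test).
    final String configuredUnitExtId = '${var.operations-unitExtId}'
    def profilePairs = opProfileList.split(',')
    def pairForUnit = profilePairs.find { pairstr ->
        def parts = pairstr.split("\\\\")
        // A malformed pair without a backslash simply cannot match instead of throwing.
        parts.length > 1 && parts[1] == configuredUnitExtId
    }
    if (pairForUnit == null) {
        // NOTE(review): access continues with a profile from a *different* operations unit
        // than the configured one. This preserves the original behaviour; confirm it is
        // intended, since the profile extId written below then does not belong to
        // configuredUnitExtId.
        LOG.info("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${opAccountExtId} has no operations profile, we use the first one")
        pairForUnit = profilePairs[0]
    }
    response.setSessionAttribute('operationsProfileExtId', pairForUnit.split("\\\\")[0])

    // Map the assertion's AuthnContextClassRef (AGOV level of identification) to a role.
    // NOTE(review): these are the qa.agov.ch URNs; a non-QA IdP presumably emits different
    // URNs and would then get no level role at all — confirm per environment.
    def acrToRoleMap = [ 'urn:qa.agov.ch:names:tc:ac:classes:100':'AGOV-Loi.level100',
                         'urn:qa.agov.ch:names:tc:ac:classes:200':'AGOV-Loi.level200',
                         'urn:qa.agov.ch:names:tc:ac:classes:300':'AGOV-Loi.level300',
                         'urn:qa.agov.ch:names:tc:ac:classes:400':'AGOV-Loi.level400',
                         'urn:qa.agov.ch:names:tc:ac:classes:500':'AGOV-Loi.level500'
                       ]
    // A null or unknown ACR looks up to null and therefore adds no role. The previous
    // `?='none'` was evidently meant as `?: 'none'`; as written, `?=` is either a syntax
    // error or (Groovy 3+) an elvis *assignment* that would presumably write 'none' back
    // into the session attribute.
    def acr = session['ch.nevis.auth.saml.assertion.authnContextClassRef']
    def loiRole = acrToRoleMap[acr]
    if (loiRole) {
        response.addActualRole(loiRole)
    }

    response.setResult('ok')
} catch (Exception ex) {
    // Pass the exception as a separate argument so the stack trace is logged, not only
    // its toString(); the message now names this script rather than "selectProfile".
    LOG.warn("Exception in setUserExtIdFromAssertion groovy script", ex)
    response.setResult('error')
}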